July 19, 2002

Information System Security

DoD Web Site Administration, Policies, and Practices
(D-2002-129)

Department of Defense
Office of the Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Inspector General of the Department of Defense at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General of the Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

JWRAC    Joint Web Risk Assessment Cell
CERT     Computer Emergency Response Team

Office of the Inspector General of the Department of Defense
Report No. D-2002-129    July 19, 2002
(Project No. D2001AB-0116.002)

DoD Web Site Administration, Policies, and Practices

Executive Summary

Who Should Read This Report and Why? Web site developers and administrators, public affairs officers, managers responsible for Web site content, and Web site users should read the reports in this series. Those involved with any aspect of a Web site will want to make sure that the content in their sites is up to date, accessible, tamper-proof, and yet user friendly. The content must also be a true reflection of the policies of the parent organization.

Background. This report is the third in a series that addresses Internet access, practices, and policies. Previous reports covered Web site administration at the Air Force and the Army. The Naval Audit Service issued a separate report based on the audit of Web-site administration at the Navy and the Marine Corps. The “DoD Web Site Administration Policy and Procedures,” implemented December 7, 1998, and updated April 26, 2001, describes procedures for establishing, operating, and maintaining DoD unclassified Web sites. The Policy requires heads of DoD Components to establish a process to identify appropriate information for posting to Web sites and to ensure the review of all information placed on publicly accessible Web sites for security levels of sensitivity and other concerns before release. In addition, it requires the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence to ensure that DoD agencies and the Services comply with the Policy.

On February 12, 1999, the Deputy Secretary of Defense approved the Joint Web Risk Assessment Cell’s Concept of Operations, a plan to use Reserve Components’ assets to conduct ongoing security and threat assessments of Components’ Web sites for inappropriate information. The Concept of Operations identifies the Defense Information Systems Agency as the executive agent for the Joint Web Risk Assessment Cell and requires the executive agent to develop an implementation plan, operating procedures, and a reporting mechanism.

Results. As of May 2002, 30 of the 200 disclosures on publicly accessible DoD Web sites that the JWRAC previously identified between April and September 2001 as inappropriate were still available for public viewing. As a result, DoD Web-site owners are not providing consistent levels of assurance that only appropriate information is posted on their publicly accessible Web sites. DoD must require DoD agencies and the Services to remove from public view Web pages that contain information identified as potentially inappropriate in the Joint Web Risk Assessment Cell reports. In addition, DoD must establish a mechanism that adjudicates disagreements between the Joint Web Risk Assessment Cell and Web-site owners on potentially inappropriate disclosures at Web sites. Further, DoD must publish and comply with the standard operating procedures of the Joint Web Risk Assessment Cell for discrepancy reporting and tracking, and maintain an up-to-date database of reported violations.

Management Comments. The Deputy Assistant Secretary of Defense (Security and Information Operations), who responded for the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), nonconcurred with the recommendation to suspend Web pages that contain potentially inappropriate information until resolution. She stated that Web site postings are based on operational security evaluations at the local commander level and, unless overturned by a higher authority, their decision is final. The Deputy Assistant Secretary partially concurred to establish a timely adjudication process. The Defense Information Systems Agency concurred with the recommendation to publish the Joint Web Risk Assessment Cell’s Standard Operating Procedures for Discrepancy Reporting and Tracking and to establish a database system to track Web risk-assessment activities.

Audit Response. Of the 200 instances of information deemed inappropriate at DoD Web sites, 30 were still available to the general public in May 2002, almost 8 months after the Joint Web Risk Assessment Cell issued its September 2001 report that identified the information. It is evident by the number of occurrences that the review process for determining the appropriateness of data on Web pages has not been fully successful, and that the existing process and procedures for local commanders to address the content of information placed on their Web site are inadequate. Accordingly, information that may place DoD at an increased risk must be suspended until resolved through an adjudication process.

Table of Contents

Executive Summary                                                        i
Background                                                               1
Objectives                                                               3
Finding
    Inappropriate Information on Publicly Accessible DoD Web Sites       4
Appendixes
    A. Scope and Methodology
        Scope and Methodology                                            9
        Management Control Program Review                                9
        Prior Coverage                                                  10
    B. Results of Reviews at Selected DoD Organizations                 12
    C. Report Distribution                                              14
Management Comments
    Assistant Secretary of Defense for Command, Control, Communications,
      and Intelligence                                                  15
    Defense Information Systems Agency                                  17
    Defense Logistics Agency                                            19

Background

DoD Web Page Policy. The “DoD Web Site Administration Policy and Procedures” (the Policy), December 7, 1998, and updated April 26, 2001, describes procedures for establishing, operating, and maintaining DoD unclassified Web sites. The Policy requires heads of DoD agencies and the Services (DoD Components) to establish a process to identify information that is appropriate for posting to Web sites. The Policy requires that all information placed on publicly accessible Web sites is reviewed for security levels of sensitivity and other concerns before the information is released. Inappropriate data include data labeled “For Official Use Only,” “sensitive,” classified, and other information at one or more sites, which, when combined, would be sensitive or classified, and should not be released to the general public.

The Policy requires DoD Components to establish procedures for management oversight and regular functional reviews of Web sites and to provide necessary resources to support Web site operations, including funding, staffing, and training. The Policy also requires an annual security assessment of Web sites. Moreover, Components must register each publicly accessible Web site with the Government Information Locator Service, which helps citizens identify, locate, and retrieve information about the Government. The Government Information Locator Service resides on the Defense Link, which is the official Web site for DoD and the starting point for finding military information about defense policy, organizations, functions, and operations online. In addition, the Policy requires the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence to ensure that DoD Components comply with the Policy.

The Policy defines a DoD Web site as a collection of information organized into a number of Web documents. The information is related to a common subject or set of subjects, including a Home Page, and is linked to subordinate information that is included on a Web page. A Home Page is the index or introductory document for a Web site. A Web site is developed and maintained with command sponsorship, approval, and editorial supervision over content.

DoD Oversight of Web Content. On February 12, 1999, the Deputy Secretary of Defense approved the Joint Web Risk Assessment Cell (JWRAC) Concept of Operations, a plan to use Reserve Components’ assets to conduct ongoing security and threat assessments of Components’ Web sites. The JWRAC is responsible for analyzing data on DoD Web sites for information that poses potential or real threats to ongoing operations and DoD personnel.

The Concept of Operations identifies the Defense Information Systems Agency as the executive agent for JWRAC. As executive agent, the Defense Information Systems Agency exercises operational control over the JWRAC and provides it with legal support, facilities, and other administrative support. The Concept of Operations also requires the executive agent to develop an implementation plan and standard operating procedures for the JWRAC. The standard operating procedures should include procedures for identifying Web sites that contain potentially inappropriate information and define that information as a discrepancy. An implementation plan should also include a process to report the discrepancy to the DoD Computer Emergency Response Team (DoD CERT) and the responsible Service or command entity. The standard operating procedures plan would also outline a process to track, verify, and resolve the discrepancy. DoD established the CERT in April 1999 to manage, control, monitor, and protect computer networks and their infrastructure so that they would be available to support the needs of DoD.

Draft Reporting and Tracking Procedures for the JWRAC. The Defense Information Systems Agency prepared a draft “JWRAC Standard Operating Procedures for Discrepancy Reporting and Tracking.” The procedures were undated, but the DoD CERT verbally approved them for use in May 2001. The procedures describe the process for recording and reporting the results of the JWRAC. The procedures state that after the JWRAC analyzes data on DoD Web sites for information that poses potential or real threats to ongoing operations and DoD personnel, it must prepare an End of Tour Report and send it to the Chief, DoD CERT.

The End of Tour Report contains a description of the discrepancies, actions required, and a summary of findings. DoD CERT officials then record the JWRAC information in its database, which is used to report, monitor, and verify removal of inappropriate information. The JWRAC Team Chief also prepares the Initial Notification Message (Message) from the information in the database and sends it to the Chief, DoD CERT for review. The Chief, DoD CERT in turn reviews the Message and sends it to the Joint Task Force-Computer Network Operations, which sends it to the organization whose Web site contains the inappropriate information.

The Message contains the Web address of the discrepancy, a description of the inappropriate information, an assessment of the risk, and a request to the Web-site owner to remove or block the data from public access. The JWRAC Message requires a response time of 12 hours for a critical violation, 48 hours for a major violation, and 14 days for a minor violation. Violations are determined to be critical if they consist of either classified or sensitive information or, when combined with other sensitive information, they may have a significant operational impact. Major violations consist of information that is “For Official Use Only,” and minor violations consist of other information that may not be posted on official Web sites that are available to the general public. The DoD CERT, through a designated discrepancy tracking coordinator, monitors the responses to the JWRAC, determines whether the discrepancies have been resolved and, if so, closes out the tracking database. If the discrepancies have not been resolved, the discrepancy tracking coordinator would bring the response to the Chief, DoD CERT for escalation to closure. Escalating the discrepancy to closure requires the Chief, DoD CERT to contact the Web-site owner and request immediate removal of the inappropriate information.

Objectives

Our objective was to evaluate policies and practices for Web site administration and oversight at selected DoD agencies. Specifically, we reviewed how the Defense Logistics Agency; the General Counsel, Office of the Secretary of Defense; and the U.S. Space Command host official Web sites, and how the DoD agencies register the Web sites, monitor compliance with policy, and safeguard information displayed. In addition, we reviewed the DoD process for identifying and removing inappropriate information from publicly accessible DoD Web sites. We also evaluated the management control program as it relates to the overall objective.

The results of our review on how selected DoD agencies register and monitor Web sites are included in Appendix B. The process for identification, removal, and oversight of inappropriate information on publicly accessible DoD Web sites warrants management attention and is discussed in the Finding section of this report. See Appendix A for a discussion of the audit scope and methodology, the management control program, and prior audit coverage.

Inappropriate Information on Publicly Accessible DoD Web Sites

As of May 2002, 30 of 200 disclosures on publicly accessible DoD Web sites that the JWRAC previously identified as inappropriate were still available for public viewing because the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) did not establish:

    • a mechanism to remove potentially inappropriate information from Web sites, and

    • an adjudication process to resolve differences between the Joint Web Risk Assessment Cell and Web-site owners on whether disclosures were inappropriate.

In addition, the Defense Information Systems Agency had not completed the “JWRAC Standard Operating Procedures for Discrepancy Reporting and Tracking” in a timely manner. As a result, DoD Web-site owners were not providing consistent levels of assurance that only appropriate information is posted on their publicly accessible Web sites.

Information Reported on DoD Public Web Sites

Results of the Joint Web Risk Assessment Cell. In November 2001, the JWRAC Team Chief provided us with eight End of Tour Reports, issued between April and September 2001, which contained 200 violations. We summarized the reports and identified the descriptions and the number of violations by Service and DoD agency as shown in Table 1.

Table 1. JWRAC-Verified Web Site Violations

Description of Violations                   Army  Navy  Air Force  Marine Corps  DoD Agencies  Total
Operation plans                               19     6         16             6             2     49
For Official Use Only                         11     7         12             4            26     60
Military personnel information such as
  social security numbers                      4     7          1             0             0     12
Reserve Officer Training Corps fax numbers    39     0          0             0             0     39
Other                                          2     2          3             0             8     15
Details of radio frequencies                   0     0          7             0             0      7
Internal policies and procedures               2     2          0             0             9     13
Root internet protocol addresses               0     0          0             0             5      5
Total                                         77    24         39            10            50    200

Inappropriate Disclosures Remaining on Web Sites. In May 2002, we accessed the 200 Web site locations to determine whether the information reported by the JWRAC was still present. Of the 200 disclosures that were cited in the 8 JWRAC reports, 30 (15 percent) still contained the inappropriate data. We summarized the results in Table 2 by description of the violation, the number of occurrences, the Service, and DoD agency.

Table 2. JWRAC-Verified Web Sites With Violations Remaining

Description of Violations           Army  Navy  Air Force  DoD Agencies  Total
Operation plans                        0     0          2             0      2
For Official Use Only                  3     0          2             7     12
Other                                  0     2          0             4      6
Internal policies and procedures       2     0          0             4      6
Root internet protocol addresses       0     0          0             4      4
Total                                  5     2          4            19     30

There were 30 inappropriate disclosures of information remaining on DoD Web sites that were still available to the general public in May 2002, almost 8 months after the JWRAC issued the September 2001 report. We determined that 14 of the 30 (46 percent) Web sites contained potentially major violations because they showed operation plans and “For Official Use Only” data.

Authority for Suspension or Removal of Inappropriate Information. The JWRAC analyzed data on DoD Web sites and verified that Web-site violations had occurred. The Team Chief, JWRAC reported the verified violations in an End of Tour Report to the Chief, DoD CERT. The Team Chief informed us that he then prepared the Messages for the violations, which the Chief, DoD CERT reviewed and forwarded to the Joint Task Force-Computer Network Operations, which forwarded them to the organizations whose Web sites contained the inappropriate information.

The previously described process is contained in the draft “JWRAC Standard Operating Procedures for Discrepancy Reporting and Tracking.” Officials stated that, beginning in October 2001, the procedures would be used as a working document while they were being refined and improved; however, the procedures contained an underlying assumption that the Web-site owner would concur or that resolution would occur within a short time frame, and that the Web-site owner would remove the inappropriate information.

When differences arise between the Web-site owner and the JWRAC Team Chief on whether a violation has occurred, the current practice is for the discrepancy tracking coordinator to bring the Web-site owner’s response to the Chief, DoD CERT for escalation to closure. However, a mechanism is needed to remove the Web page containing the potentially inappropriate information from public view until an adjudication authority makes a decision. Additionally, disagreements on the appropriateness of the information require an adjudication authority to make a timely decision.

Discrepancy Reporting and Tracking

Of the eight End of Tour Reports issued by the JWRAC, only one included all three categories of critical, major, and minor violations. Two of the reports included only major violations when they should also have included minor violations, two included critical violations when they should also have addressed major and minor violations, one addressed critical and major violations when it should also have addressed minor violations, and two reports did not categorize violations.

The reports must address the type of violation because that is how the urgency of resolution and the suspense time frame for a response by the Web-site owner are determined. The JWRAC Team Chief could not explain this condition except to indicate that the reporting process was still evolving.

In addition, officials stated that they were unable to provide us with the Messages sent to the Web-site owners for violations recorded in the eight End of Tour Reports because the CERT did not retain them. Also, the database maintained by the Chief, DoD CERT was not updated to show whether notifications were delayed, whether follow-up actions were required or taken on nonresponses, and whether the inappropriate information was still on the Web site. Officials informed us that the CERT planned to migrate the information to a new database but migration had not occurred because of funding constraints. They believed that many of the problems we identified were a result of the still-evolving reporting and recording process. The Chief, DoD CERT verbally approved the draft “JWRAC Standard Operating Procedures for Discrepancy Reporting and Tracking” for incident reporting for use in May 2001. Officials agreed that the draft would be used as a working document while the reporting procedures continued to be refined and improved. The present procedures, dated October 18, 2001, were being updated.

The JWRAC reports must be consistent in identifying the category of inappropriate disclosures to allow the DoD CERT to track Messages of potential violations and identify the response time required by Web-site owners. Also, the database must be kept current on the status of each finding, the timeliness of responses, and whether the issues were resolved and the inappropriate information was removed. A consistent and up-to-date database will provide an accurate assessment of Web site information and will allow DoD to take appropriate action to remove information that poses potential or real threats to ongoing operations and DoD personnel. In addition, the draft reporting procedures should be completed, published, and complied with because they provide DoD officials with a reporting and recording mechanism for inappropriate disclosures identified by the JWRAC.

Summary

Publicly accessible DoD Web sites must be informative and contain only information that is appropriate for public release. The JWRAC is responsible for analyzing data on DoD Web sites and informing the Chief, DoD CERT of potential or real threats to ongoing operations and DoD personnel. The DoD CERT Tracking Coordinator notifies the offending Web-site owner, monitors the owner’s responses, determines whether discrepancies have been resolved, follows up on nonresponses within the stated time frame, and maintains the tracking database. However, inappropriate information is not always removed. Additionally, disagreements on the inappropriateness of the information require a timely decision from an adjudication authority.

Management Comments on the Finding

Although not required to comment, the Director of Information Operations, Chief Information Officer, Defense Logistics Agency provided comments to the draft audit report. She concurred with the finding and recommendations and suggested several editorial changes.

Recommendations, Management Comments, and Audit Response

1. We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence):

    a. Suspend Web pages that contain potentially inappropriate information identified in the Joint Web Risk Assessment Cell reports as part of the adjudication process until resolution is achieved.

Management Comments. The Deputy Assistant Secretary of Defense (Security and Information Operations) provided comments for the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence). She nonconcurred with the recommendation and stated that the Web site posting review process is part of Operations Security, which is governed by DoD Directive 5205.2, “DoD Operations Security Program.” The Directive recognizes that decisions regarding operational security are made by those responsible for mission accomplishment. Consequently, the Web posting responsibility is within the scope of the local commander’s authority unless a higher adjudicating authority overturns the decision on appropriateness of page content. The Deputy Assistant Secretary stated that because the information in dispute is not classified, there is no reason to preempt the decision of command authority pending resolution of any disagreement.

Audit Response. Management comments were not responsive. Although the Deputy Assistant Secretary nonconcurred with the recommendation, it is evident that existing procedures used by local commanders are not adequate. Inappropriate information on 30 of 200 DoD Web site locations was still available to the general public in May 2002, almost 8 months after the JWRAC issued the September 2001 report. Of the 30 disclosures, 14 (46 percent) contained potentially major violations because they showed operation plans and “For Official Use Only” data. Additionally, unclassified data may through compilation also pose a security risk. Accordingly, information that may place DoD at increased risk must be suspended until resolved through an adjudication process.

    b. Establish a corresponding mechanism in the “Joint Web Risk Assessment Cell’s Standard Operating Procedures for Discrepancy Reporting and Tracking” that adjudicates disagreements on inappropriate information between the Joint Web Risk Assessment Cell and Web-site owner.

Management Comments. The Deputy Assistant Secretary partially concurred with the recommendation. She agreed that a timely adjudication process is required to resolve questions or disagreements on the appropriateness of information posted on public Web sites. However, she stated that the Joint Web Risk Assessment Cell’s Concept of Operations gives the Director of the Defense Information Systems Agency the responsibility and authority to establish operating procedures. The Deputy Assistant Secretary agreed to work with the Defense Information Systems Agency to define a mechanism for adjudicating disagreements over findings. Once it is defined, she agreed to include the mechanism in the Joint Web Risk Assessment Cell’s Standard Operating Procedures for Discrepancy Reporting and Tracking.

Audit Response. Although the Deputy Secretary partially concurred, her proposed actions will meet the intent of the recommendation.

2. We recommend that the Director, Defense Information Systems Agency complete, publish, and comply with the “Joint Web Risk Assessment Cell Standard Operating Procedures for Discrepancy Reporting and Tracking,” and maintain an up-to-date database of reported violations.

Management Comments. The Defense Information Systems Agency concurred with the recommendation. Management stated that the Joint Web Risk Assessment Cell’s Standard Operating Procedures for Discrepancy Reporting and Tracking is under final review and expected to be published by June 2002. Officials informed us that it was published July 1, 2002. Also, a database system to track the Web risk-assessment activities is expected to be online in the first quarter of 2003.

Appendix A. Scope and Methodology

Scope and Methodology

We visited the Defense Logistics Agency; the Defense Supply Center-Richmond; the General Counsel, Office of the Secretary of Defense; and the U.S. Space Command. We selected the Defense Logistics Agency because of the number of publicly accessible Web sites that were registered in the Defense Link. We selected the Defense Supply Center-Richmond because it is one of the Defense Logistics Agency’s publicly accessible Web sites. We selected the General Counsel, Office of the Secretary of Defense and the U.S. Space Command because of the number of potential violations identified in the August 2001 report of the Office of the Deputy Assistant Secretary of Defense (Intelligence). We reviewed and evaluated the Web site policies and conducted discussions with officials in the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence); the Defense Logistics Agency; the Defense Supply Center-Richmond; General Counsel, Office of the Secretary of Defense; and the U.S. Space Command to evaluate whether policies and practices for publicly accessible DoD Web sites were adequate. We reviewed records and documents dated from December 1998 through May 2002.

General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in DoD. This report provides coverage of the Information Security high-risk area.

Audit Dates and Standards. We performed this audit from May 2001 through May 2002 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We relied on computer-processed data without performing tests of system general and application controls to confirm the reliability of the database. However, not establishing the reliability of the database will not affect the results of our audit. We relied on judgmental sampling procedures to develop conclusions on this audit.

Contacts During the Audit. We visited or contacted individuals and organizations within DoD. Further details are available on request.

Management Control Program Review

DoD Directive 5010.38, “Management Control Program,” August 26, 1996, and DoD Instruction 5010.40, “Management Controls Program Procedures,” August 28, 1996, require DoD managers to implement a comprehensive system of management controls that provide reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of the Review of the Management Control Program. We reviewed the adequacy of DoD management controls over DoD policies and practices for Web site administration and oversight. In assessing those controls, we evaluated policies and practices on how Government or other servers host official DoD Web sites, and how DoD registers and monitors Web sites for compliance with policy and safeguards sensitive information. We reviewed management’s self-evaluation applicable to those controls.

Adequacy of Management Controls. We identified material management control weaknesses for the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) as defined by DoD Instruction 5010.40. DoD management controls were not adequate to prevent the continued disclosure of inappropriate data on DoD Web sites that were identified by the Joint Web Risk Assessment Cell. In addition, the process for reporting and maintaining a database of inappropriate information contained on publicly accessible Web sites was not being followed.

The recommendations, if implemented, will improve the oversight and Web site administration processes. A copy of the report will be provided to the senior officials responsible for management controls in the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence).

Adequacy of Management’s Self-Evaluation. In FY 2000, the Assistant Secretary of Defense (Command, Control, Communication, and Intelligence) did not identify oversight of DoD and Service Web sites as an assessable unit and, therefore, did not identify or report the material management control weakness identified by the audit.

Prior Coverage

During the last 5 years, GAO has issued two reports, the Inspector General of the Department of Defense has issued three reports, and the Naval Audit Service issued one report on the issue of Internet privacy.

General Accounting Office

GAO Report No. GAO-01-147R, “Internet Privacy: Federal Agency Use of Cookies,” October 20, 2000

GAO Report No. GAO/AIMD-00-296R (OSD Case No. 2074), “Internet Privacy: Comparison of Federal Agency Practices With FTC’s Fair Information Principles,” September 11, 2000

Inspector General of the Department of Defense (IG DoD)

IG DoD Audit Report No. D2001-130, “DoD Internet Practices and Policies,” May 31, 2001

IG DoD Audit Report No. D2002-0062, “Air Force Web Site Administration, Policies, and Practices,” March 13, 2001

IG DoD Audit Report No. D2002-0098, “Army Web Site Administration, Policies, and Practices,” June 5, 2002

Naval Audit Service

Naval Audit Service Report No. N2002-0034, “Department of the Navy Publicly Accessible Web Sites,” March 1, 2002

Appendix B. 
Results of Reviews at Selected DoD\n            Organizations\n   Defense Logistics Agency. The Defense Logistics Agency has 28 publicly\n   accessible Web sites that are registered in the Defense Link. In addition, the Chief\n   Information Officer, Defense Logistics Agency issued \xe2\x80\x9cDefense Logistics Agency\n   Internet Guidance,\xe2\x80\x9d August 28, 2000, that addressed Web sites\xe2\x80\x99 administration.\n   The guidance states that the Public Affairs Officer is the release authority for\n   public information. The guidance requires Public Affairs approval in\n   coordination with Internet Council approval before information is first posted on a\n   Web site and also when significant changes occur to previously released\n   information. In addition, the guidance established an Internet Council to\n   periodically review DLA Web sites to ensure that only appropriate information is\n   posted. The guidance also requires Web sites to be registered in the Defense\n   Link.\n\n   The Internet Council at the Defense Logistics Agency is responsible for ensuring\n   compliance with Agency guidance and approving Web pages for posting.\n   However, officials at the Defense Logistics Agency did not conduct the required\n   annual reviews, train Web administration officials, and provide oversight to\n   determine that only appropriate information was posted to its Web site. In\n   addition, in August 2001, the Office of the Deputy Assistant Secretary of Defense\n   (Intelligence) identified a Defense Logistics Agency Web site that contained \xe2\x80\x9cFor\n   Official Use Only\xe2\x80\x9d information. When we notified Web administration officials\n   of the inappropriate information, they removed the document from the Web site.\n\n   We visited a Web master at the Defense Supply Center-Richmond who maintains\n   a Defense Logistics Agency Web site. 
The Web site was registered in the Defense\n   Link, officials provided training for Web editors on Web site policy and\n   procedures, and the Web master conducted annual content reviews.\n\n   Because only one Web site contained inappropriate information and because\n   officials removed it upon notification, agreed to conduct documented annual\n   reviews, to develop a checklist to conduct the annual reviews, and to develop\n   classes for training Web administrators, we considered those actions responsive\n   and, accordingly, did not make a recommendation in this report. Since the draft\n   report was issued, DLA began the annual review process and documentation by\n   developing the checklist and also began to develop training for Web\n   administrators. (See the Management Comments section for the complete text of\n   management comments.)\n\n   Office of the General Counsel. The Office of the General Counsel for the\n   Secretary of Defense has four publicly accessible Web sites that are registered in\n   the Defense Link. Although the General Counsel does not have written Web site\n   policy, officials stated that they follow the 1998 DoD Policy; however, they did\n   not conduct the required annual review.\n\n   In August 2001, the Office of the Deputy Assistant Secretary of Defense\n   (Intelligence) identified that the General Counsel\xe2\x80\x99s Web sites contained\n\n\n                                       12\n\x0c21 postings that included the wording \xe2\x80\x9cFor Official Use Only, Until Released\nby\xe2\x80\xa6.\xe2\x80\x9d The postings were statements of DoD officials before Congress. 
The\nstatements were released for public viewing by the congressional committee.\nHowever, General Counsel officials did not delete the restrictive language before\nposting it to their Web page.\n\nDuring our review, officials issued written guidance to implement the 1998 DoD\nPolicy establishing a process for the release of information on the General\nCounsel Web site. The guidance provided examples of information that should\nnot be posted on Web sites that are available to the public. Officials agreed to\nconduct annual reviews and document the results. In addition, they removed the\nrestrictive language on Web pages that we identified as potentially inappropriate.\nWe viewed the Web pages and verified that the restrictive language had been\nremoved. Accordingly, we considered this a matter of interest and did not make a\nrecommendation.\nU.S. Space Command. The U.S. Space Command has two Web sites that are\nregistered in the Defense Link. Officials developed a draft operating instruction\naddressing the use of Internet and public Home pages. Because the U.S. Space\nCommand is a tenant organization on Peterson Air Force base, it follows Air\nForce policy for establishing a Web site. This policy includes an initial review of\nWeb site information by the Privacy, Staff Judge Advocate, and Public Affairs\noffices.\n\nHowever, Web administrative officials had not conducted the required annual\nreviews, established a training program for Web officials, or published policy for\nWeb page management. Also, in August 2001, the Office of the Deputy Assistant\nSecretary of Defense (Intelligence) identified social security numbers at two U.S.\nSpace Command Web sites. The Web sites that contained the potential violations\nwere Canadian Forces Web sites that were linked to the Space Command site.\nCanadian officials stated that they do not use social security numbers and could\nnot review the site\xe2\x80\x99s content because the site had been removed. U.S. 
Space\nCommand officials deleted the link to the Canadian site because the site contained\noutdated information and had been removed from public viewing. Officials\nagreed to conduct annual reviews and document results, update and publish\nguidance, require training for the Web master, and identify a process to establish\nand update Web pages. Accordingly, we did not make any recommendations.\n\n\n\n\n                                    13\n\x0cAppendix C. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\nGeneral Counsel, Secretary of Defense\n\nUnified Command\nCommander, U. S. Space Command\n\nOther Defense Organizations\nDirector, Defense Information Systems Agency\nDirector, Defense Logistics Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations,\n  Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                          14\n\x0cAssistant Secretary of Defense for Command,\nControl, Communications, and Intelligence\nComments\n\n\n\n\n                      
15\n\x0c16\n\x0cDefense Information Systems Agency Comments\n\n\n\n\n                    17\n\x0c18\n\x0cDefense Logistics Agency Comments\n\n\n\n\n                     19\n\x0c20\n\x0cTeam Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector General for\nAuditing of the Department of Defense prepared this report. Personnel of the Office of\nthe Inspector General of the Department of Defense who contributed to the report are\nlisted below.\n\nMary L. Ugone\nBruce A. Burton\nThomas S. Bartoszek\nThomas J. Hilliard\nThelma E. Jackson\nCarrie J. Gravely\nMandi L. Markwart\nJenshel D. Marshall\nJacqueline N. Pugh\n\x0c'